Privacy-Focused Fitness Tracker Alternatives

Fitness trackers collect some of the most sensitive personal data: your heart rate, sleep patterns, menstrual cycle, workout locations, and daily activity levels. Fitbit/Google, Garmin Connect, and Strava sell or expose this data. This guide covers open-source alternatives that keep your biometric data under your control.

Why Commercial Fitness Apps Are Dangerous

Fitbit/Google: Google acquired Fitbit in 2021. Fitbit data is subject to US law enforcement requests
Strava: The 2018 global heatmap accidentally revealed classified military base layouts from soldiers’ GPS tracks
Garmin Connect: Data exposed in a 2020 ransomware attack; the company paid the ransom
Apple Health: Stays on-device with strong encryption, but iCloud sync exposes it

Gadgetbridge (Android — Open Source)

Gadgetbridge uses fitness wearables without any manufacturer app or cloud sync. All data stays on your device.

Source: codeberg.org/Freeyourgadget/Gadgetbridge
Available on F-Droid
Supports 200+ devices including Mi Band, Amazfit, PineTime, Bangle.js
No network permissions required
Data stored in SQLite on-device

Setup:

Install from F-Droid
Enable Bluetooth → Pair your device in Gadgetbridge
Never install the manufacturer app

Export data for analysis:

import sqlite3
import pandas as pd

conn = sqlite3.connect('gadgetbridge.db')

steps = pd.read_sql_query("""
    SELECT DATE(TIMESTAMP/1000, 'unixepoch') as date,
           SUM(STEPS) as total_steps
    FROM MI_BAND_ACTIVITY_SAMPLE
    GROUP BY date
    ORDER BY date DESC
    LIMIT 30
""", conn)

print(steps.to_string())

OpenTracks (Android — Open Source)

Records GPS-based activities with no cloud sync:

Source: github.com/OpenTracksApp/OpenTracks
Available on F-Droid
Exports to GPX, KML, and CSV
No network permissions

Traccar Self-Hosted GPS Server

# Install Traccar
curl -o traccar.zip https://www.traccar.org/download/traccar-linux-64.zip
unzip traccar.zip && sudo ./traccar.run
sudo systemctl enable --now traccar
# Open at http://localhost:8082

Use the Traccar Client app (on F-Droid) to send GPS data to your own server instead of any commercial platform.

Manual Logging Script

#!/bin/bash
# fitlog.sh — simple local fitness log

LOG="$HOME/.fitness/log.csv"
mkdir -p "$HOME/.fitness"

if [ ! -f "$LOG" ]; then
    echo "date,activity,duration_min,distance_km,notes" > "$LOG"
fi

DATE=$(date +%Y-%m-%d)
read -p "Activity (run/cycle/walk/swim): " ACTIVITY
read -p "Duration (minutes): " DURATION
read -p "Distance (km, optional): " DISTANCE
read -p "Notes: " NOTES

echo "${DATE},${ACTIVITY},${DURATION},${DISTANCE:-},${NOTES}" >> "$LOG"
echo "Logged: $ACTIVITY on $DATE"

Device Recommendations for Privacy

Device	Privacy Pairing	Cloud Required
PineTime	Gadgetbridge + InfiniTime	No
Xiaomi Mi Band 7/8	Gadgetbridge	No
Amazfit Band 5/7	Gadgetbridge	No
Bangle.js 2	Gadgetbridge	No
Fitbit (any)	None (cloud-only)	Yes
Apple Watch	Apple Health (local)	Optional

PineTime is fully open hardware with open-source firmware — the most privacy-respecting option, though more limited in features than commercial devices.

Privacy Analysis: What Each App Collects

Fitbit (Google):

Heart rate, blood oxygen, sleep (stored on Google’s servers)
GPS location for all outdoor activities
Weight, nutrition, medication data
Subject to US government requests without warrant (via ECPA 2018 ruling)
Data used to train Google’s health ML models
Retention: Indefinitely unless you delete manually

Garmin Connect:

Complete activity history with GPS
Heart rate variability data (used for stress assessment)
Sleep data
Incident reporting (crashes, falls)
Smart notifications (who called, which apps notified)
Subject to US law enforcement requests
Retention: 7 years minimum

Strava:

GPS for every exercise
2018 data breach: Soldiers’ activities revealed classified military bases globally
Recent focus on competitive leaderboards (shares activity data)
Social graph (your friends, followers)
Location data sold to urban planners and governments
Retention: Indefinitely

Apple Health:

Data stays on your device by default
Optional iCloud sync encrypts with your key, but Apple has master key for legal access
Data cannot be exported easily
Better than cloud fitness services but still proprietary

Gadgetbridge: Complete Setup Guide

Gadgetbridge is a single Android app that replaces all manufacturer fitness apps. After setup, delete the original app completely.

Full Installation Steps

# 1. Install F-Droid (the privacy-respecting app store)
# Download from f-droid.org on your Android device

# 2. In F-Droid, search for "Gadgetbridge"
# Install the latest version

# 3. Enable Bluetooth and ensure your wearable is nearby
# The app will prompt you to pair during first run

# 4. DO NOT install the manufacturer's app (Mi Fit, Amazfit, Garmin)
# Gadgetbridge handles all communication

# 5. Verify no network access (on Android 12+):
adb shell dumpsys package nodomain.freeyourgadget.gadgetbridge | grep "INTERNET\|NETWORK"
# Should show nothing or "false"

Export All Fitness Data for Personal Analysis

Gadgetbridge stores data in SQLite. Extract it for analysis:

# Database location
# /sdcard/Android/data/nodomain.freeyourgadget.gadgetbridge/files/gadgetbridge.db

# Via adb
adb pull /sdcard/Android/data/nodomain.freeyourgadget.gadgetbridge/files/gadgetbridge.db

# Analyze with Python
python3 -c "
import sqlite3
import pandas as pd

conn = sqlite3.connect('gadgetbridge.db')

# List available tables
tables = conn.execute(\"SELECT name FROM sqlite_master WHERE type='table'\").fetchall()
print('Available tables:', [t[0] for t in tables])

# Example: Steps last 30 days
steps = pd.read_sql_query('''
    SELECT DATE(TIMESTAMP/1000, \"unixepoch\") as date,
           SUM(STEPS) as steps
    FROM MI_BAND_ACTIVITY_SAMPLE
    WHERE TIMESTAMP > strftime(\"%s\", \"now\", \"-30 days\") * 1000
    GROUP BY date
    ORDER BY date DESC
''', conn)

print('\\nSteps (last 30 days):')
print(steps)

# Export to CSV
steps.to_csv('steps_30days.csv', index=False)
"

This gives you full data ownership for personal analytics.

Self-Hosted Fitness Data Server

For advanced users, store fitness data on your own server:

# Option 1: Traccar (tracks GPS, shows location history)
wget https://www.traccar.org/download/traccar-linux-64.zip
unzip traccar-linux-64.zip
sudo ./traccar.run install

# Access at http://localhost:8082
# Add device UUID from Traccar Client app on your phone

# Option 2: Immich (photo-based activity tracking)
# Docker-based photo storage with timeline view
# Pairs well with OpenTracks (exports GPX files)

OpenTracks exports to GPX, which can be imported to your self-hosted server for long-term storage and analysis.

Wearable Selection Strategy

If you own Xiaomi Mi Band 7/8 or Amazfit:

Use Gadgetbridge immediately
Delete the original app
Never create a Xiaomi account
Data stays on your phone forever

If you own Fitbit/Apple Watch/Samsung Galaxy Watch:

Cloud sync is mandatory
Choose the lesser evil:
Apple Watch (on-device storage + optional iCloud)
Fitbit (accept Google access)
Samsung (accept Samsung access)
Do not use commercial fitness apps with these

If buying a new device:

Prioritize Gadgetbridge compatibility
Prefer open hardware: PineTime or Bangle.js
Xiaomi Mi Band offers best balance of features + Gadgetbridge support

Monthly Privacy Audit

Once per month, verify your setup:

# 1. Confirm no fitness app has internet permission
adb shell pm list packages | grep -i "fit\|health\|activity\|garmin\|strava"
# For each result, check:
adb shell dumpsys package [PACKAGE_NAME] | grep "android.permission.INTERNET"

# 2. Confirm Gadgetbridge still has zero network access
adb shell dumpsys package nodomain.freeyourgadget.gadgetbridge | grep "INTERNET"

# 3. Check device storage for synced data
adb shell "find /sdcard -type f -name '*fitness*' -o -name '*activity*' -o -name '*health*' 2>/dev/null" | head -20

# 4. Review Gadgetbridge data export
# Weekly export to encrypted USB backup

Built by theluckystrike — More at zovo.one